Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
k
Keith Bozek
01/23/2023, 7:43 PMHi. I am using the version v4.0.0.0 release. Regarding win_registry_events - I have been trying to get registry change detection to work. I want to monitor some additional keys. I have tried test cases monitoring/creating/deleting registry keys in areas where is is supposed to monitor and I never see the changes logged as win_registry_events. I must be missing something. I am running Windows 10 Pro, US-EN, 22H2, 19045.2486. For the sake of simplicity, I want to monitor HKEY_CURRENT_USER\Keyboard LayoutHKEY_CURRENT_USER\Keyboard Layout. I have followed the pattern but it does not show a win_registry_events in the log.
h
himanshu
01/24/2023, 11:49 AM@Keith Bozek thanks for writing to us. Assuming that you have already put in place registry event filters as specified in osquery.conf file here: https://github.com/eclecticiq/osq-ext-bin/blob/v4.0.0.0/osquery.conf, refer this json section:
"plgx_event_filters" -> "win_registry_events" -> "target_name" -> "include" -> "values"
Add a filter string as below, then you should see desired registry event.
"\\REGISTRY\\USER\\*\\Keyboard Layout\\*"k
Keith Bozek
01/24/2023, 11:58 PMThank you for such a quick response. I did a reset of my osquery clearing the database and logs. I replaced the original osqurey.conf file and used the one from the link with the one entry above(see attached). I then tried to create a new registry value. I ahve attached the simple scripts and the reg key export just from that are of the hive. I expected to see a win_registry_events entry in the osqueryd.results.log.
Do I have to create a scheduled query against the win_registry_events table to harvest?
I assumed replacing my config with https://github.com/eclecticiq/osq-ext-bin/blob/v4.0.0.0/osquery.conf, and then adding the one line as above, I would see an entry. I've included procmon snapshot of running the vbs script in the exact same context. You can see the ring3 and ring0 calls. I was looking for evidence in the log that would correlate the call. I then went to my OSquery log and extracted the same wscript calls but no registry output. I have attached that log. This is a VmWare workstation professional 17 VM. It is a plain as it gets.
Thanks again for your help. I am at a loss at the moment.
h
himanshu
01/25/2023, 5:07 AMyes, you will need to add a scheduled query on win_registry_events. default conf published does not have it on win_registry_events.
k
Keith Bozek
01/25/2023, 3:57 PMThanks. I will give that a try.
o
OpenPlgx
01/26/2023, 3:13 PMDid that work @Keith Bozek?
k
Keith Bozek
01/27/2023, 4:18 AMHi,
I was modifying my configuration file and I messed it up. I was unable to get to it yesterday so I am now fixing it. I will most certainly update you 🙂 . I am so very close. I was womdering what a good query interval is for registry events?
o
OpenPlgx
01/27/2023, 1:25 PMA “good” query interval is subjective and is dependent on use case.